Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff1d490b52818c3c…

MALICIOUS

PDF

Size: 42.6 KB
Authoring application: PDFBox
MD5: 55f30329c0522618a13e42d36fa36abf
SHA-1: 6500df381c2650bd2f156729d198192175d87bb0
SHA-256: ff1d490b52818c3ce71c31fc21f994ea2184608e300be5d840dcea6b6b213ff1
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further suggests a phishing or traffic redirection intent. The embedded URLs point to various domains, all structured similarly, indicating a coordinated effort to direct users to potentially malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002ec2.bin
  SHA-256: 5d5b4e4e2925caeeb6af5a586a5fb1ab5273178fc2af94946571e7cf67381e36
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2EC2
  Size: 16272 bytes

Filename: font_01_sfnt_off000046fc.bin
  SHA-256: 6be9f8c1d46f88a64ba49369ca19f695133edda7695bad00159529be5b82bf16
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x46FC
  Size: 8224 bytes